How to create federation metadata XML for "Relying Party Trust" and "Claims Provider Trusts" for ADFS 2.0

Yadong picture Yadong · Nov 21, 2014 · Viewed 95.2k times · Source

One of our web app would like to connect with ADFS 2.0 server to get credential token and check the user roles based on that. The ADFS server admin asked us to give them a federation metadata XML file to let them create Relying Party Trusts. I googled and only find how to download the ADFS server's federation metadata XML using URL - https://[adfs server name]/federationmetadata/2007-06/federationmetadata.xml But could didn't find any guide to create a federation metadata XML for creating "Relying Party Trust" and "Claims Provider Trusts". Is there a tools for creating those metadata files? Please share some idea for how to create.

Thanks

Lu

Answer my own question:

I found the Federation Utility tools in WindowsIdentityFoundation-SDK-4.0 at http://www.microsoft.com/en-ca/download/details.aspx?id=4451 will do it.

Answer

rbrayb picture rbrayb · Nov 23, 2014

Actually the URL is

https://server/federationmetadata/2007-06/federationmetadata.xml

There are no tools that I an aware of.

You can use the Microsoft.IdentityModel.Protocols.WSFederation.Metadata class or refer Generating Federation Metadata Dynamically.

Have a look at "Thinktecture.IdentityServer.v2 / src / Libraries / Thinktecture.IdentityServer.Protocols / FederationMetadata" over at Thinktecture.IdentityServer.v2.

Or if your application uses WIF it's in the metadata directory.

Update:

In WIF, unless you want to the token to be encrypted, you don't need the certificate. That's more for the ADFS side as it has to sign the token and the app. needs the public key to verify.

Example:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5b6cd05c-a5e3-470d-a2fc-6c6f66633d1b" entityID="http://localhost/app/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <fed:ClaimTypesRequested>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
        </fed:ClaimTypesRequested>
        <fed:TargetScopes>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:TargetScopes>
        <fed:PassiveRequestorEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
</EntityDescriptor>

where localhost\app\ needs to be your app's URL. Note end slash!